1. Field of Invention
This invention relates generally to the management of identity information in computer networks.
2. Prior Art
An Identity Metasystem is a collection of interoperable computing elements on a computer network which enables users of the services provided by the network to manage and exchange their digital identities. In an Identity Metasystem, an Identity Provider is a network server responsible for authenticating users, and a Relying Party is a network server which requires an authenticated user identity in order to provide service. The Identity Metasystem defines the mechanisms that enable a Relying Party to validate that a user requesting service from that Relying Party has been previously authenticated by an Identity Provider, in which the Relying Party is a web service based on the Simple Object Access Protocol (SOAP), or web server based on the Hypertext Transfer Protocol (HTTP).
The document “A Technical Reference for the Information Card Profile V1.0”, published in December 2006 by Microsoft Corporation, describes the network communication protocols by which an Identity Selector may obtain the token requirements of a Replying Party, then authenticate to an Identity Provider, and finally send a token obtained from an Identity Provider to a Relying Party. The protocols defined in “A Technical Reference for InfoCard v1.0 in Windows” specify a protocol exchange in which the protocols defined in the documents Web Services Security: SOAP Message Security 1.0 (WS-Security 2004), Web Services Trust Language (WS-Trust), Web Services Security Policy Language (WS-SecurityPolicy) and Web Services Metadata Exchange (WS-MetadataExchange), all of which are based on the Simple Object Access Protocol (SOAP), are to be used for the communication between the Identity Selector and the Relying Party. The Simple Object Access Protocol is typically used between applications in a web services framework.
The document “A Guide to Supporting InfoCard v1.0 Within Web Applications and Browsers”, published in March 2006 by Microsoft Corporation, describes the network communication protocols by which an Identity Selector may obtain the token requirements of a Relying Party and send a token obtained from an Identity Provider to a Relying Party using the Hypertext Transfer Protocol (HTTP) and Hypertext Markup Language (HTML). The Hypertext Transfer Protocol is typically used by a web browser to communicate with a web server to web application.
FIG. 2 illustrates the components of the prior art of identity metasystem. In the prior art, a user will contact a Relying Party service using their web browser client. The Relying Party will prompt the user to authenticate, and the client will display an Identity Selector, by which the user may select a managed card issued by an Identity Provider. The Identity Selector will contact the Identity Provider, and obtain a token for the Relying Party. The Relying Party will receive this token from the Identity Selector, and from it extract one or more claims about the user.